200 million Yahoo passwords being sold on the dark web?

Rumours are spreading of a huge breach at Yahoo.

Joseph Cox at Motherboard writes:

A notorious cybercriminal is advertising 200 million of alleged Yahoo user credentials on the dark web, and the company has said it is “aware” of the hacker’s claims, but has not confirmed nor denied the legitimacy of the data.

On Monday, the hacker known as Peace, who has previously sold dumps of Myspace and LinkedIn, listed supposed credentials of Yahoo users on The Real Deal marketplace. Peace told Motherboard that he has been trading the data privately for some time, but only now decided to sell it openly.

When a hacker advertises a huge hoard of login details for sale, there are often more questions than answers:

  • How many (if any) of the credentials are legitimate? There may be 200 million-or-so being sold, but that doesn’t mean you’ll be able to break into 200 million accounts.
  • What is the origin of the data? Has the data been collected through phishing attacks? Or has the data been collated from the mega breach of another online service (like LinkedIn or MySpace), and is it just evidence that, yet again, folks have made the mistake of reusing passwords?
  • Are the credentials for current accounts or for old, stale accounts that may have been closed down or had their passwords changed long ago?
  • Is there any evidence of a security breach at Yahoo that could have resulted in login credentials spilling out? (This would be most worrying, but thankfully seems least likely.)

Not all of these questions are necessarily easy to answer with absolute certainty.

But what is clear is that your Yahoo account will be a lot safer if you have enabled two-step verification and have learnt to never reuse passwords.

If you’re not being sensible about your online security, take appropriate steps now to harden your Yahoo account. Because even if this current scare ends up not impacting your account, there is always the danger that you could become a victim in the future.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

3 comments on “200 million Yahoo passwords being sold on the dark web?”

  1. Techno

    I wondered why they had been suggesting I change my password the last few days.

    Yahoo get brownie points for allowing 32 character passwords with special characters. I know this because I just checked and changed mine.

  2. SlipperyJim

    Wife and I have both been told to change our Yahoo passwords last week! I use 2SV on my phone so quite relaxed. I've used Lastpass to generate a really long password. I have my email addresses monitored on pwnedlist and a year ago was told that a twenty year old (simple one word) password had been found on a list!

  3. Simon

    It's hard to come across an uplifting article regarding Yahoo these days.
